docs: add note about --dns.resolvers (#2364)

Co-authored-by: Fernandez Ludovic <[email protected]>
go-acme · Nov 29, 2024 · c2f179f · c2f179f
1 parent 8e5448c
commit c2f179f
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/docs/content/usage/cli/Obtain-a-Certificate.md b/docs/content/usage/cli/Obtain-a-Certificate.md
@@ -58,6 +58,21 @@ GANDI_API_KEY=xxx \
 lego --email "[email protected]" --dns gandi --domains "example.org" --domains "*.example.org" run
 ```
 
+{{% notice title="For a zone that has multiple SOAs" icon="info-circle" %}}
+
+This can often be found where your DNS provider has a zone entry for an internal network (i.e. a corporate network, or home LAN) as well as the public internet.
+In this case, point lego at an external authoritative server for the zone using the additional parameter `--dns.resolvers`.
+
+```bash
+GANDI_API_KEY=xxx \
+lego --email "[email protected]" --dns gandi --dns.resolvers 9.9.9.9:53 --domains "example.org" --domains "*.example.org" run
+
+```
+
+[More information about resolvers.]({{% ref "options#dns-resolvers-and-challenge-verification" %}})
+
+{{% /notice %}}
+
 
 ## Using a custom certificate signing request (CSR)
 

diff --git a/docs/data/zz_cli_help.toml b/docs/data/zz_cli_help.toml
@@ -99,6 +99,7 @@ OPTIONS:
    --always-deactivate-authorizations value  Force the authorizations to be relinquished even if the certificate request was successful.
    --renew-hook value                        Define a hook. The hook is executed only when the certificates are effectively renewed.
    --no-random-sleep                         Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way. (default: false)
+   --force-cert-domains                      Check and ensure that the cert's domain list matches those passed in the domains argument. (default: false)
    --help, -h                                show help
 """